CVE-2026-40991: Spring REST Docs XXE Injection in Remote API Documentation
Spring REST Docs, a popular documentation tool used by developers to generate API documentation from tests, contains an XML External Entity (XXE) injection vulnerability when documenting remote APIs over HTTP. An attacker who gains control of an API being documented—or convinces a developer to document a malicious API—can inject malicious XML that executes during the documentation-generation process. The attack requires the developer to actively run their documentation tests, making social engineering or API compromise the likely attack vector.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
- Weaknesses (CWE)
- CWE-611
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40991 is an XXE injection vulnerability (CWE-611) present in Spring REST Docs versions 4.0.0, 3.0.0–3.0.5, and 2.0.0.RELEASE–2.0.8.RELEASE when using the WebTestClient or REST Assured integrations to document remote HTTP-accessed APIs. The vulnerability arises from insufficient XML parsing protections during the documentation-generation phase. An attacker-controlled or compromised API endpoint can return malicious XML payloads designed to trigger XXE processing. When a developer executes documentation tests against such an endpoint, the XML parser may resolve external entities, potentially leading to information disclosure or denial of service. The attack surface is limited to development and CI/CD environments where documentation tests are actively executed.
Business impact
For organizations using Spring REST Docs in their development workflow, this vulnerability poses a supply-chain and insider-risk concern. Compromised third-party APIs or malicious documentation targets could inject XXE payloads into test execution environments, potentially exfiltrating sensitive configuration files, credentials, or environment data stored on developer machines or CI/CD runners. While the attack requires developer action (running tests), it could be triggered automatically in continuous integration pipelines, making it a vector for lateral movement or credential theft within development infrastructure.
Affected systems
Spring REST Docs versions 4.0.0, 3.0.0 through 3.0.5, and 2.0.0.RELEASE through 2.0.8.RELEASE are affected. The vulnerability specifically manifests when using the spring-restdocs-webtestclient or spring-restdocs-restassured modules to document remote APIs accessed via HTTP. Organizations using Spring REST Docs for local API documentation or not actively calling remote endpoints during test execution have lower exposure. Earlier versions prior to 2.0.0.RELEASE and patched versions (to be confirmed from vendor advisories) are not affected.
Exploitability
Exploitability is moderate. The CVSS score of 5.9 (MEDIUM, AV:N/AC:H/PR:N/UI:R) reflects that while the attack originates from the network, several factors limit practical exploitation: an attacker must either control or compromise the remote API being documented, the user must intentionally trigger documentation tests (though automation in CI/CD pipelines reduces this barrier), and successful exploitation depends on the target system's XML parser configuration. No public exploit code or active exploitation in the wild has been reported, and the vulnerability does not appear on the Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Upgrade Spring REST Docs to patched versions that implement secure XML parsing defaults (versions and exact patch numbers should be verified against Broadcom's official security advisory). For immediate risk reduction, restrict documentation tests to trusted, internally-controlled APIs and disable remote API documentation in untrusted environments. Review CI/CD pipelines to ensure documentation test execution occurs only on validated, non-malicious endpoints. Implement network segmentation to limit what development environments can access.
Patch guidance
Consult Broadcom's official Spring REST Docs security advisory for exact patched version numbers and upgrade instructions. Generally, users should upgrade to the latest available version of their branch (e.g., 4.0.x or 3.0.x) and verify the patch date aligns with or exceeds the vulnerability publication date of June 10, 2026. Test patched versions in a non-production environment before production deployment to ensure compatibility with existing documentation workflows.
Detection guidance
Monitor for documentation test execution against unexpected or untrusted remote API endpoints in your CI/CD logs and developer environments. Flag any unusual XML parsing errors or exceptions during documentation generation. Review recent changes to API documentation targets in version control. Examine HTTP traffic from documentation test runners for connections to newly-added or suspicious remote endpoints. In security monitoring, look for XXE-related log entries (entity resolution, DOCTYPE declarations, external resource requests) in application logs during documentation test phases.
Why prioritize this
Despite the MEDIUM severity rating, this vulnerability warrants prompt attention for development-focused organizations. Spring REST Docs is widely used in Spring Boot and microservices ecosystems. The attack vector combines supply-chain risk (compromised APIs) with automation (CI/CD pipelines), creating a pathway for credential or data theft within development infrastructure. Organizations with strict API documentation practices or those only documenting internal APIs face lower risk and can prioritize other vulnerabilities; however, teams documenting external or third-party APIs should prioritize patching.
Risk score, explained
The CVSS 5.9 score balances network accessibility (AV:N) against a high attack complexity (AC:H) and required user interaction (UI:R). The attack requires compromise or control of a documented API and active test execution, preventing widespread automated exploitation. However, the high confidentiality impact (C:H) and potential for local denial of service (A:L) on development systems justify a MEDIUM rating rather than LOW. In environments where documentation tests run automatically in CI/CD, the UI:R (user interaction) factor becomes less restrictive.
Frequently asked questions
Does this vulnerability affect production applications using Spring REST Docs?
No. The vulnerability only manifests during documentation test generation, not in runtime application behavior. Production systems are unaffected unless they directly execute documentation tests (uncommon). The risk is limited to development and test environments.
Can this be exploited without network access to a remote API?
The vulnerability specifically requires documenting a remote API accessed over HTTP. Organizations that use Spring REST Docs only to document local or embedded APIs, or that do not call remote endpoints during test execution, are not vulnerable.
What is the practical impact of XXE injection in this context?
An attacker can read local files accessible to the test runner process (e.g., configuration files, credentials in environment variables, SSH keys) and potentially cause denial of service by requesting large external resources. Data exfiltration is the primary concern in CI/CD environments where sensitive data may be present.
Is there a workaround if I cannot patch immediately?
Yes. Restrict documentation tests to trusted, internally-managed APIs only. Disable or isolate CI/CD jobs that document external APIs. Implement network policies to prevent documentation test runners from accessing untrusted endpoints. These controls reduce (but do not eliminate) risk until patches are applied.
This analysis is based on information published as of July 17, 2026. Specific patch version numbers and upgrade instructions must be verified against Broadcom's official Spring REST Docs security advisory and vendor documentation. No warranty is provided regarding the completeness or accuracy of this assessment; organizations should conduct independent security testing and consult vendor guidance before implementing mitigations. This document does not constitute legal or regulatory compliance advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-8045MEDIUMXXE Information Disclosure in Schneider Electric StruxureWare Data Center Expert
- CVE-2026-47960HIGHColdFusion XXE Vulnerability Allows Arbitrary File Read
- CVE-2026-49383LOWIntelliJ IDEA UI Designer XML External Entity (XXE) Information Disclosure
- CVE-2026-41008MEDIUMSpring Authorization Server Open Redirect Vulnerability (CVSS 6.1)
- CVE-2026-41711MEDIUMSpring Data Commons Stack Overflow DoS Vulnerability – Analysis & Patch Guidance
- CVE-2026-41719MEDIUMSpring Data KeyValue & Redis SpEL Injection
- CVE-2026-41721MEDIUMSpring Data Commons Memory Exhaustion DoS Vulnerability
- CVE-2026-41695HIGHSpring Data Commons Denial of Service via Property Path Exhaustion